
H3C S5120-SI Series Configuration Guide

Enabling Forwarding of Directed Broadcasts to a Directly Connected Network
If a device is enabled to receive directed broadcasts, the device will determine whether to forward them
according to the configuration on the outgoing interface.
Follow these steps to enable the device to forward directed broadcasts:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Enable the interface to forward directed broadcasts | ip forward-broadcast [ acl acl-number ] | Required. By default, the device is disabled from forwarding directed broadcasts. |
- If an ACL is referenced in the ip forward-broadcast [ acl acl-number ] command, only packets
  permitted by the ACL can be forwarded.
- If you execute the ip forward-broadcast [ acl acl-number ] command repeatedly on an interface,
  only the last executed command takes effect. If the last executed command does not include
  acl acl-number, the previously configured ACL is removed.
Configuring TCP Attributes
Enabling the SYN Cookie Feature
As a general rule, establishing a TCP connection involves the following three-step handshake:
1) The request originator sends a SYN message to the target server.
2) After receiving the SYN message, the target server establishes a TCP connection in the
SYN_RECEIVED state, returns a SYN ACK message to the originator, and waits for a response.
3) After receiving the SYN ACK message, the originator returns an ACK message. Thus, the TCP
connection is established.
Attackers may mount SYN Flood attacks during TCP connection establishment. They send a large
number of SYN messages to the server to establish TCP connections, but never respond to the
SYN ACK messages. As a result, a large number of incomplete TCP connections are
established, which consumes heavy resources and leaves the server unable to handle services
normally.
The SYN Cookie feature can prevent SYN Flood attacks. After receiving a TCP connection request, the
server directly returns a SYN ACK message instead of establishing an incomplete TCP connection.
Only after receiving an ACK message from the client does the server establish the connection and
enter the ESTABLISHED state. In this way, large numbers of incomplete TCP connections are
avoided, which protects the server against SYN Flood attacks.
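
The following Python sketch models the stateless behavior described above. It is an added example, not H3C's implementation or code from this guide. The function names, the HMAC-SHA256 cookie truncated to 32 bits, and the 64-second validity slot are assumptions chosen for illustration; production implementations also encode details such as the MSS in the cookie.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # assumption: random per-boot server secret
SLOT_SECONDS = 64         # assumption: cookie validity granularity
MASK32 = 0xFFFFFFFF

def _cookie(conn, client_isn, slot, secret):
    # conn = (src_ip, src_port, dst_ip, dst_port); the cookie binds all of it
    msg = "|".join(map(str, (*conn, client_isn, slot))).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def on_syn(conn, client_isn, now, secret=SECRET):
    """Return (seq, ack) for the SYN ACK. No per-connection state is stored."""
    seq = _cookie(conn, client_isn, int(now) // SLOT_SECONDS, secret)
    return seq, (client_isn + 1) & MASK32

def on_ack(conn, seq, ack, now, established, secret=SECRET):
    """Create the connection only if the ACK echoes a cookie this server issued."""
    client_isn, echoed = (seq - 1) & MASK32, (ack - 1) & MASK32
    slot = int(now) // SLOT_SECONDS
    for s in (slot, slot - 1):  # accept the current and the previous slot
        expected = _cookie(conn, client_isn, s, secret)
        if hmac.compare_digest(expected.to_bytes(4, "big"), echoed.to_bytes(4, "big")):
            established.add(conn)
            return True
    return False

def demo():
    established, now = set(), 1_000_000
    # Constructed sample: 10,000 SYNs whose senders never answer the SYN ACK.
    for port in range(10_000):
        on_syn(("198.51.100.7", 1024 + port, "192.0.2.1", 80), port, now)
    flood_state = len(established)  # stays 0: the SYNs left nothing behind
    # Constructed sample: a legitimate client completes the handshake.
    conn = ("203.0.113.5", 40000, "192.0.2.1", 80)
    cookie, ack = on_syn(conn, 12345, now)
    ok = on_ack(conn, ack, (cookie + 1) & MASK32, now + 3, established)
    # Constructed sample: an ACK with a guessed acknowledgment number is dropped.
    forged = on_ack(("198.51.100.7", 5555, "192.0.2.1", 80), 1, 42, now, established)
    return flood_state, ok, forged, len(established)

if __name__ == "__main__":
    print(demo())
```

Because the server keeps nothing between the SYN and the final ACK, the only per-SYN cost under a flood is computing one MAC.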